The Internet Security Threat Report provides an overview and analysis of the year in global threat activity. The report is based on data from the Symantec Global Intelligence Network, which Symantec’s analysts use to identify, analyze, and provide commentary on emerging trends in the dynamic threat landscape. 2014 Internet Security Threat Report, Volume 19.
Highlights from the 2014 Internet Security Threat Report
- 91% increase in targeted attack campaigns in 2013
- 62% increase in the number of breaches in 2013
- Over 552M identities were exposed via breaches in 2013
- 23 zero-day vulnerabilities discovered
- 38% of mobile users have experienced mobile cybercrime in the past 12 months
- Spam volume dropped to 66% of all email traffic
- 1 in 392 emails contains a phishing attack
- Web-based attacks are up 23%
- 1 in 8 legitimate websites have a critical vulnerability
The figures show that the number of data breaches suffered by organizations in 2013 increased by 62% compared to 2012. A total of 552 million identities were exposed last year, compared to 93 million exposed in 2012.
As far as mega data breaches are concerned, a total of 8 were reported in 2013. That’s a lot if we consider that only one was reported in 2012.
“One mega breach can be worth 50 smaller attacks. While the level of sophistication continues to grow among attackers, what was surprising last year was their willingness to be a lot more patient – waiting to strike until the reward is bigger and better,” said Kevin Haley, director of Symantec Security Response.
Over ten million data records were lost in each of the 2013 mega breaches, providing cybercriminals with payment card data, bank account details, passwords and even medical records.
“Nothing breeds success like success – especially if you’re a cybercriminal,” Haley noted. “The potential for huge paydays means large-scale attacks are here to stay. Companies of all sizes need to re-examine, re-think and possibly re-architect their security posture.”
As far as targeted attacks are concerned, the report shows that their number increased by 91%. Each attack lasted, on average, three times longer than in the previous year. Individuals working in PR and personal assistants were the most attractive targets in such operations.
A total of 23 zero-days were uncovered last year and experts have found that one in eight websites contain critical vulnerabilities. Web-based attacks have reportedly increased by 23%.
When it comes to mobile threats, 38% of smartphone users have witnessed cybercriminal activities. The only good news is that the volume of spam has slightly dropped to 66% of all email traffic.
“Security incidents, managed well, can actually enhance customer perceptions of a company; managed poorly, they can be devastating. If customers lose trust in a company because of the way the business handles personal data and privacy, they will easily take their business elsewhere,” explained Ed Ferrara, VP and principal analyst at Forrester Research.
The complete Symantec Internet Security Threat Report (ISTR), Volume 19, is available for download on the company’s website. The report also contains recommendations on the steps that businesses and consumers can take to protect themselves against cyber threats.
Mega Data Breach
While 2011 was hailed by many as the “Year of the Data Breach,” breaches in 2013 far surpassed previous years in size and scale. For 2013, we found the number of data breaches grew 62 percent from 2012, translating to more than 552 million identities exposed last year – an increase of 368 percent. This was also the first year that the top eight data breaches each resulted in the loss of tens of millions of identities – making it truly the year of the “mega” data breach. By comparison, only one data breach in 2012 reached that distinction.
Attackers set their sights on medium-sized businesses
If you’ve been following our reports, you know that small and medium-sized businesses (SMBs) are a key target for attackers, and this year proved no exception to the trend. In 2013, SMBs collectively made up more than half of all targeted attacks at 61 percent – up from 50 percent in 2012 – with medium-sized (2,500+ employees) businesses seeing the largest increase.
Attacks against businesses of all sizes grew, with an overall increase of 91 percent from 2012. Similar to last year, cybercriminals deployed watering hole attacks and spear-phishing to increase the efficiency of their campaigns. However, spear-phishing campaigns were down 23 percent, with cybercriminals relying less on emails to carry out their attack campaigns. Watering hole attacks allowed the bad guys to run more campaigns through drive-by-downloads, targeting victims at the websites they frequently visit. Efforts were also aided by a 61 percent increase in zero-day vulnerabilities, which allowed attackers to set up on poorly patched sites and infect their victims with little or no additional effort required.
Government remained the most targeted industry (16 percent of all attacks). This year we looked at not only the volume of attacks but also at who are the preferred targets and what are the odds of being singled out. The bad news is that no one faces favorable odds and we all need to be concerned about targeted attacks. However, looking at the odds produced some surprises. If you’re a personal assistant working at a mid-sized mining company, I have bad news for you – you topped the “most wanted” list for attackers.
Mobile malware and madware invades consumers’ privacy
While many people download new apps to their mobile devices without a second thought, many malicious apps contain highly annoying or unwanted capabilities. Of the new malware threats written in 2013, 33 percent tracked users and 20 percent collected data from infected devices. 2013 also saw the first remote access toolkits (or RATs) begin to appear for Android devices. When running on a device, these RATs can monitor and make phone calls, read and send SMS messages, get the device’s GPS coordinates, activate and use the camera and microphone and access files stored on the device – all without the knowledge or consent of the victim.
Ransomware growth explodes and turns even more vicious
As we had previously predicted, ransomware, the malicious software that locks computers and files, grew rapidly in 2013. Ransomware saw an explosive 500 percent growth over last year and remained a highly profitable enterprise for the bad guys, netting $100 to $500 USD for each successful ransom payment. We also saw attackers become more vicious by holding data hostage through high-end encryption and threatening to delete the information forever if the fee was not paid within the given time limit.
The future of identity theft: The Internet of Things
Which of these things have been hacked in the past year: a refrigerator or a baby monitor? When I ask customers this question, they often reply, “Both.” The correct answer is the baby monitor. Despite what you may have heard on the news, Internet connected refrigerators have yet to be attacked. But never say never. Security researchers in 2013 demonstrated that attacks against cars, security cameras, televisions and medical equipment are all possible. The refrigerator’s time will come. The Internet of Things (IoT) is on its way and related threats are sure to follow. In this year’s report, we talk about what we’ve seen so far, and the consensus is that the Internet connected device at most risk of attack today is the home router.
What comes next? With personal details and financial information being stored on IoT devices, it’s only a matter of time before we find a true case of a refrigerator being hacked. Right now, security is an afterthought for most manufacturers and users of these devices, and it will likely take a major security incident before it is seriously considered. However, by starting the conversation now about the potential security risks, we will be that much more prepared when that day comes. This year’s ISTR starts the conversation.
A Vanson Bourne study commissioned by IT security company McAfee analyzes advanced evasion techniques (AETs) and their role in sophisticated cyberattacks. The report also focuses on the controversy and confusion surrounding this topic.
The report reveals that 22% of respondents admit having their networks breached in the last 12 months. 40% of them believe AETs have played an important role in the intrusion.
The organizations that have suffered data breaches reported costs of upwards of $1 million (€730,000).
“We are no longer dealing with the random drive-by scanner that is just looking for obvious entryways into your network. In today’s interconnected world, we are dealing with adversaries who spend weeks or months studying your public facing network footprint, looking for that one small sliver of light which will allow them to gain a foothold into your networks,” noted John Masserini, VP and CSO of MIAX Options.
“Advanced Evasion Techniques are that sliver of light. When deployed, McAfee’s Next Generation Firewall technology adds an extra layer of depth to protect against such threats, making that sliver of light that much harder to find,” Masserini added.
The study shows that it’s not an easy task to convince a company’s board that AETs are a serious threat and that they need to implement appropriate technology in order to guard systems against them. In fact, two thirds of respondents have named this the biggest challenge.
Close to 40% of those surveyed say they don’t believe they have what it takes to detect and track AETs.
“Many organizations are so intent on identifying new malware that they are falling asleep at the wheel toward advanced evasion techniques that can enable malware to circumvent their security defences,” said Jon Oltsik, senior principal analyst, Enterprise Strategy Group.
“AETs pose a great threat because most security solutions can’t detect or stop them. Security professionals and executive managers need to wake up as this is a real and growing threat.”
The existence of AETs came to light back in 2010, when Stonesoft (a company acquired by McAfee in 2013) discovered them. McAfee says there are around 800 million known AETs and that less than 1% of them are detected by the security solutions of other companies.
Disclosures about America’s own focus on cyberweaponry — including American-led attacks on Iran’s nuclear infrastructure and National Security Agency documents revealed in the trove taken by Edward J. Snowden, the former agency contractor — detail the degree to which the United States has engaged in what the intelligence world calls “cyberexploitation” of targets in China.
The revelation by The New York Times and the German magazine Der Spiegel that the United States has pierced the networks of Huawei, China’s giant networking and telecommunications company, prompted Mr. Xi to raise the issue with Mr. Obama at a meeting in The Hague two weeks ago. The attack on Huawei, called Operation Shotgiant, was intended to determine whether the company was a front for the army, but also focused on learning how to get inside Huawei’s networks to conduct surveillance or cyberattacks against countries — Iran, Cuba, Pakistan and beyond — that buy the Chinese-made equipment. Other cyberattacks revealed in the documents focused on piercing China’s major telecommunications companies and wireless networks, particularly those used by the Chinese leadership and its most sensitive military units.
Mr. Obama told the Chinese president that the United States, unlike China, did not use its technological powers to steal corporate data and give it to its own companies; its spying, one of Mr. Obama’s aides later told reporters, is solely for “national security priorities.” But to the Chinese, for whom national and economic security are one, that argument carries little weight.
“We clearly don’t occupy the moral high ground that we once thought we did,” said one senior administration official.
For that reason, the disclosures changed the discussion between the top officials at the Pentagon and the State Department and their Chinese counterparts in quiet meetings intended to work out what one official called “an understanding of rules of the road, norms of behavior,” for China and the United States.
“It’s clear that cyberspace is already militarized, because we’ve seen countries using cyber for military purposes for 15 years,” said James Lewis, an expert at the Center for Strategic and International Studies. “The Chinese have had offensive capabilities for years as well,” he said, along with “more than a dozen countries that admit they are developing them.”
800 CIOs and security managers from the US, the UK, Germany, France, Australia, South Africa and Brazil have taken part in the survey.
The largest threat is cyber espionage. Governments using electronic means to conduct corporate espionage or even traditional espionage remotely has become a sensitive topic in diplomatic circles, especially in light of the Snowden revelations about the NSA’s activities.
The National Security Agency is dramatically expanding its ability to covertly hack into computers on a mass scale by using automated systems that reduce the level of human oversight in the process.
Sources: http://www.symantec.com/security_response/publications/threatreport.jsp , http://news.softpedia.com/news/40-of-Breached-Organizations-Believe-AETs-Played-a-Key-Role-in-the-Attack-434933.shtml , http://www.nytimes.com/2014/04/07/world/us-tries-candor-to-assure-china-on-cyberattacks.html?_r=0 , http://www.symantec.com/connect/blogs/2013-internet-security-threat-report-year-mega-data-breach